If you are new to Burp and are having problems, please first read the help on Getting Started with Burp Suite, and follow the instructions there. Otherwise, the problems and solutions below might help you.
Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. To do this, you change your browser's proxy settings to use the proxy host address (by default, 127.0.0.1) and port (by default, 8080) for both HTTP and HTTPS protocols, with no exceptions.This ensures that all HTTP and HTTPS traffic will pass through Burp. 2、然后需要下载好一个burpsuite的软件,如果是jar包就用java -jar 打开就可以了。 3、如果要使用代理的话,可以使用火狐插件FoxyProxy设置。 4、Burp Suite 2020也要对应设置好。 5、先点击这里就可以对访问的流量进行一个拦截。. FoxyProxy is a popular proxy switcher available for both Firefox and Google Chrome. Here, we will be installing and configuring FoxyProxy in Firefox to use in conjunction with Burp Suite. Step 1: Add FoxyProxy to Firefox The first thing we need to do is start.
Burp doesn't run
Make sure you have a suitable version of Java installed. Then start Burp from the command line. Look at any error messages or other output that appears on the command line, which should indicate the cause of the problem.
I get an error message saying NoClassDefFoundError
When running Burp from the command line, make sure you have included the
-jar
argument followed by the location of the Burp JAR file. If you're still having problems, check that your command is launching the correct version of Java. Run the command java -version
and confirm that the version being executed is 1.8 or later. If you have installed a later version of Java but an older version is still being executed, then replace 'java' with an absolute path to the correct java executable on your system. If you're still having problems, your Java installation might be corrupted, so reinstall it. If you get this error message when trying to launch Burp with a Burp Extender plugin, then check that your BurpExtender class is declared in the burp package, and resides inside a folder called burp within your extension's JAR file.
I've unpacked the Burp JAR file; what next?
You don't need to unpack or unzip the Burp JAR file. This probably happened because your computer is associating the .JAR file extension with some archiving software. You can change this association to associate with Java, or better, you can start Burp from the command line.
My browser can't make any requests
If your browser is always waiting and not showing any actual content, then please try the following steps. After each step, check whether you are still having problems, and only continue to the next step if things are not working.
- In Burp, go to the Proxy tab, and the Intercept sub-tab. If this is showing an intercepted HTTP request, then turn off interception (click on the 'Intercept is on' button to toggle the interception status). Your browser should now work as normal. See Getting Started with Burp Proxy for more help on the basics of using Burp Proxy.
- Try visiting another domain with your browser (ideally a well-known public domain). If this works, then the problem might relate to the specific web site you originally visited.
- Go to the Proxy tab, and the Options sub-tab. In the Proxy Listeners section, the table should show at least one entry where the Running checkbox is checked. If this is unchecked, try to check it. If the box cannot be checked, and the Alerts tab shows a message saying 'Failed to start proxy service' then Burp is not able to open the specified port and interface. This is often because the port is in use by another process. Select the item in the table, click the 'Edit' button, and change the port number to a different one. Click 'OK' and see whether the listener can now be enabled. You may need to try a few different ports, or query your computer's configuration to locate an available port. Then proceed to the next step to update your browser's proxy configuration with the new port number.
- Check that your browser's proxy settings are correctly configured, and are using the same IP address and port number as configured in a running Proxy listener (in Burp's default settings, this is IP address 127.0.0.1 and port 8080, may be different in your current configuration). For further details, see Configuring Your Browser.
- In Burp, go to the Options tab, and the Connections sub-tab. In the 'Upstream Proxy Servers' section, confirm whether any upstream proxies are configured, and if so whether these settings are correct for your network's setup.
- Make some more requests from your browser (e.g. press refresh a few times). Look in the Alerts tab to see if any new entries are being generated. If so, these entries might indicate the cause of the problem.
- Go to the Burp menu, and select 'Restore defaults' for all options. Then close Burp down gracefully by selecting 'Exit' from the Burp menu. Start Burp again. Shut down all your browser instances, and then open a new browser window.
Burp isn't intercepting anything
In Burp, go to the Proxy tab, and the History sub-tab. Make some more requests from your browser (e.g. press refresh a few times), and check whether any new entries are appearing in the Proxy history. If so, then Burp is processing your browser traffic but is not presenting any messages for interception. Go to the Proxy Intercept tab, and enable master interception (click on the 'Intercept is off' button to toggle the interception status). Then go to the Proxy Options tab, and click the 'Restore defaults' button in the 'Intercept Client Requests' and 'Intercept Server Responses' sections. Make some more requests from your browser, and these should now appear in the Proxy Intercept tab.
If your browser is loading pages correctly but no items are appearing in the Proxy history, you need to check your browser proxy settings. Your browser should be configured to use Burp for both HTTP and HTTPS; any 'automatic' proxy options should be disabled, and any 'exceptions' to the proxy settings should be removed. If you are unsure, follow carefully the steps in Configuring Your Browser to ensure your browser is correctly set up.
Burp isn't intercepting HTTPS requests
If your browser is sending HTTP requests through Burp, but not HTTPS requests, then your browser is probably configured to proxy only HTTP. Check in your browser proxy settings that the browser is configured to use Burp for both protocols. If you are unsure, follow carefully the steps in Configuring Your Browser to ensure your browser is correctly set up.
HTTPS websites don't work properly
If your browser is able to load HTTPS websites via Burp, but these do not function properly (e.g. the user interface is not complete or fully functional), then the application is probably attempting to load script code or other resources over HTTPS from another domain, and your browser is generating a security alert when loading these resources via Burp. You need to install Burp's CA certificate in your browser, to ensure that applications using HTTPS function properly.
I get authentication failures when using Burp
If the application you are testing uses platform authentication (which normally shows as a popup login dialog within your browser), and you get authentication failure messages when your browser is configured to use Burp, then you need to configure Burp to handle the platform authentication instead of your browser. Go to the Options tab, and the Connections sub-tab, and the Platform Authentication section. Add a new entry for each hostname used by your application, configuring the authentication type and your credentials. If you aren't sure of the authentication type, then first try NTLMv2, then NTLMv1, and then the other types. You may need to close all browser windows and open a new browser window, to prevent any browser caching from interfering with the authentication process.
I'm having performance issues
See Troubleshooting performance details for more details.
How do I run a scan?
You can launch an automated crawl-and-audit scan simply by clicking 'New scan' on the Burp dashboard and supplying the start URL. You can also launch scans in various other ways. See Scanning web sites for more details.
I cannot route traffic from mobile devices to Burp.
This issue could be due to your computer's firewall rules. Ensure that they are configured to allow connections from your mobile device.
Also, see the Support Center articles on configuring mobile devices to work with Burp.
I encounter scaling issues on Windows 10 between my 4k and normal screens
Try starting Burp Suite with these settings:
start javaw -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -jar burpsuite_pro_v1.7.23.jar
. If you’ve done any web application pen testing or bug bounty hunting, you’re probably familiar with Burp Suite. If you haven’t used Burp Suite before, this blog post series is meant for you.
What is Burp Suite and why should you use it? Burp Suite is a suite of web application testing tools that help you intercept, modify and automate your interactions with a web application. If you do CTFs, this will make your life a lot easier. And if you want to get into web application, Burp Suite is a great tool to have.
This post covers installation, configuration, and the Target and Proxy tools.
Installation and Setup
Burp Suite (from now on, just “Burp”) has a free edition and a professional version. The pro option costs $400. You can request a 7 day trial of that here, or download the free Community Edition here.
Once you’ve downloaded and installed the program, you’ll need to configure your browser to direct the traffic to Burp Suite.
Burp functions by intercepting all traffic from a browser–allowing you to inspect it, modify it, etc.–and then forwarding the requests on. There are two options for proxying traffic to Burp.
- You can either configure proxy settings within your browser settings (not recommended as you have to manually turn this on or off each time).
- You can install a browser plug-in like FoxyProxy which lets you configure the proxy once, and then turn the proxy on/off with a single click.
I recommend downloading FoxyProxy, and then creating a profile for BurpSuite. You do this by clicking the FoxyProxy icon, and then clicking options.
Next, click Add and then fill out the form (I used IP address 127.0.0.1/localhost and port 8081).
Once you’ve saved that, you can click the FoxyProxy icon again and turn the proxy on.
Depending on which browser you use, you might want to make use of browser profiles so that settings, cookies, etc. are cleared for your web testing profile. Alternatively, you could use a different browser.
You also need to set up the Burp certificate so that HTTPS requests work properly (otherwise you will get certificate warnings). See this link for details on how to set that up.
You might also consider using a VPN so that your home IP address is not blacklisted by websites that make use of WAFs.
BurpSuite Proxy Settings
Once you’ve got your browser proxy and certificates set up, open up BurpSuite. If you have the free version, you will have to select “Temporary project.” Accept the default settings.
Then, you should see a bunch of tabs. Click the “Proxy” tab and then click “Options.”
You will need to click “Add” and add the IP address and port name that you configured in FoxyProxy.
Test everything out
With FoxyProxy enabled, and the same IP address and port configured in the Proxy Options tab of Burp Suite, navigate to a web page in the browser that is using FoxyProxy.
A good example site might be http://xss-game.appspot.com
The website won’t load, because Burp has intercepted the request.
If you go to Burp, you will see something like this:
Notice that the Proxy tab and Intercept tabs are both highlighted orange. This will happen when a new event has occurred in a given tab, or some kind of alert has been generated. We’ll see this again later when we send requests to other tools in Burp Suite.
You can look at the request and its headers in any of three tabs: Raw, Headers or Hex. To complete the request, click “Forward.” If you want to stop intercepting traffic, you can click “Intercept is on” and the text (and styling) will change to say “Intercept is off.”
By default, intercept is on when you open Burp.
Proxy
We’ve already seen some of the Proxy tab while configuring the Proxy (Options sub-tab) and viewing our first intercepted request (Intercept tab).
HTTP History
If you click the HTTP History tab, you will see a chronological list of requests that Burp made. This includes the original URL we navigated to, future pages we navigate to, and all of the resources that are requested alongside those pages. For example, this screenshot shows the requests from two pages that I navigated to:
You can click on each of these and details will be loaded into the bottom pane.
If you right-click any response, you get a whole menu of options. You can add a comment, send the request to other Burp tools (which we’ll cover in upcoming blog posts), add to scope, request in browser, and more.
The concept of scope is important, and applies across many tools within Burp. We’ll cover this more in the Target section.
Burp Proxy Download
Filtering
Lastly, you can filter the HTTP history list by clicking this bar:
This filter bar appears in many places throughout the application. I wish the UI were different so it was more obvious that you can interact with it, but definitely click on it in various tools to get a sense of what your filtering options are.
As you select/de-select items, the filter bar preview will update to say what filter(s) you’ve selected.
Proxy Options
There are many other options in the Proxy > Options tab. I won’t list all of them here, but you can configure:
- What types of client requests to intercept
- How responses should be modified (removing Javascript form validation, etc.)
- Match and Replace, which allows you to use regexes to set HTTP headers. You could use this to automatically swap out your user-agent header or cookies, for example.
Target
Next, let’s click on the Target tab and then click Site Map (if it isn’t already selected).
This is similar to the HTTP history in that it shows all of the web pages and resources that you’ve requested. The SiteMap, however, shows all of these requests in a tree view that matches the structure of the website.
You can see that the lefthand pane has the XSS Game website, plus a few others ites, like Google fonts.
If we open up the tree, we can see level1, static, and other folders and files underneath. Each of these requests can be loaded in the righthand pane, with more details about the request and response in the lower pane. This might seem redundant, and it kind of is, but there are benefits to different data perspectives.
Each of the items in the lefthand pane has an icon next to it:
- The gear icon means that it’s dynamic, or that it’s sent data. In this case, I typed “hi” into the level 1 input box and clicked Send.
- Directories are denoted by folder icons.
- Individual pages are denoted by page icons. Sometimes, these have styling to them (like the JS files).
Again, we can click the filter bar and select filters for the data. These filters can include keywords, MIME types, file types, status codes, and more. If you set filters and want to remove them, click the gear icon and select “restore defaults.”
Scope
Lastly, let’s talk about scope. Scope applies to many different tools, and can be configured either in the Target > Scope tab and/or individually in different tools.
Scope is an important concept, especially if you are pen testing. If you use other tools (like Spider, which we’ll cover in upcoming posts) without a scope set, it will be time-consuming, and might also send requests to websites other than the target site. So let’s scope down our results by clicking on the “Scope” tab.
Click “Add” in the “Include in scope” section. Because I am visiting the XSS Game site, I want to only include that in my scope (and not include Google fonts, etc.)
So, I enter “xss-game” into the pop-up and click OK.
You will see a pop-up asking if you want to exclude all out-of-scope items. For now, I clicked “no”.
If you go back to the Site Map tab, you’ll see that all of the sites are still listed.
We need to apply our scope to the list. Click the filter bar and check “Show only in-scope items” and then click the filter bar again to hide it.
Now, you should only see XSS Game urls in the lefthand pane of the Site Map.
Burp Suite Recap
Burp Proxy Free
In this blog post, we covered installation and setup of BurpSuite and a proxy tool. We intercepted our first request, and reviewed filtering, options, and HTTP history in the Proxy section. Finally, we looked at the Site Map in the Target Tool, as well as how filtering, scope and icons work within this section.
Foxy Proxy Burp Suite Download
Next up will be Spider, Intruder and Repeater!